[Freeipa-users] WebUI authentication problems

Petr Vobornik pvoborni at redhat.com
Fri Feb 20 09:53:28 UTC 2015


On 02/20/2015 09:44 AM, Martin Kosek wrote:
> On 02/20/2015 02:00 AM, Dan Mossor wrote:
>> I just installed a new server on Fedora 21 Server, using the rolekit
>> deployment
>> tool. Everything was installed and configured (I hope) properly, but I'm
>> running into a problem. The version is
>> freeipa-server-4.1.2-1.fc21.x86_64, and
>> I can connect to the WebUI only after a restart of ipa.service.
>>
>> After approximately 15 minutes, I am kicked out of the active session
>> - while
>> in the middle of using it - and cannot log back in.

The default FreeIPA session lifetime is 20 mins. The expiration time is 
extended on each request. The session also expires when the krb ticket 
expires. We have a known issue that the Web UI, if SSO is used, does not 
work if the ticket expires in 5 mins, but it produces slightly different 
output.

>> Login was
>> attempted from 4
>> browsers across two machines, and every time the login screen returns
>> with
>> "Your session has expired. Please re-login."

Does it work if you use forms-based authentication or if you use CLI tool?

>>
>> /var/log/httpd/errors is showing the following:
>> [Fri Feb 20 00:37:03.972736 2015] [auth_kerb:error] [pid 1158] [client
>> 10.1.0.15:54958] gss_accept_sec_context() failed: Unspecified GSS
>> failure.
>> Minor code may provide more information (, ASN.1 structure is missing a
>> required field), referer: https://vader.dom.net/ipa/ui/index.html
>> [Fri Feb 20 00:37:34.300510 2015] [auth_kerb:error] [pid 1173] [client
>> 10.1.0.15:54961] gss_accept_sec_context() failed: Unspecified GSS
>> failure.
>> Minor code may provide more information (, ASN.1 structure is missing a
>> required field), referer: https://vader.dom.net/ipa/ui/index.html
>> [Fri Feb 20 00:37:34.406615 2015] [auth_kerb:error] [pid 1616] [client
>> 10.1.0.15:54965] gss_accept_sec_context() failed: Unspecified GSS
>> failure.
>> Minor code may provide more information (, ASN.1 structure is missing a
>> required field), referer: https://vader.dom.net/ipa/ui/index.html
>> [Fri Feb 20 00:37:50.356014 2015] [auth_kerb:error] [pid 1161] [client
>> 10.1.0.15:54966] gss_accept_sec_context() failed: Unspecified GSS
>> failure.
>> Minor code may provide more information (, ASN.1 structure is missing a
>> required field), referer: https://vader.dom.net/ipa/ui/index.html
>> [Fri Feb 20 00:37:52.263088 2015] [auth_kerb:error] [pid 1417] [client
>> 10.1.0.15:54968] gss_accept_sec_context() failed: Unspecified GSS
>> failure.
>> Minor code may provide more information (, ASN.1 structure is missing a
>> required field), referer: https://vader.dom.net/ipa/ui/index.html
>> [Fri Feb 20 00:37:52.327075 2015] [auth_kerb:error] [pid 1168] [client
>> 10.1.0.15:54967] gss_accept_sec_context() failed: Unspecified GSS
>> failure.
>> Minor code may provide more information (, ASN.1 structure is missing a
>> required field), referer: https://vader.dom.net/ipa/ui/index.html
>> [Fri Feb 20 00:45:35.603016 2015] [auth_kerb:error] [pid 1173] [client
>> 10.1.1.17:54157] gss_accept_sec_context() failed: An unsupported
>> mechanism was
>> requested (, Unknown error), referer: https://vader.dom.net/ipa/ui/

This looks like a culprit to me, though I don't know what its cause is. 
Simo may know more.

In the meantime you could try to enable debugging to get more info in 
/var/log/httpd/error_log by creating /etc/ipa/server.conf and restarting 
httpd.

     # cat /etc/ipa/server.conf
     [global]
     debug=True

You could also open the browser developer tools (press F12) and inspect 
the XHR communication in the network tab [1]. Check especially whether 
some request to /ipa/session/json, /ipa/session/login_kerberos or 
/ipa/session/login_password ends with a 401 Unauthorized status code, and 
then what the cause of the next 401 after a series of 200s is. It might 
contain some pointers, like the session expiration time and such.

[1] https://pvoborni.fedorapeople.org/images/ff-dev-tools-xhr.png

>>
>> Restarting httpd, I can log in, and am immediately logged out again
>> with the
>> above errors.
>>
>> Restarting ipa.service, I was able to log in with my user account, and
>> was
>> notified that my password expires in 0 days - even though it was just
>> created
>> less than an hour ago.

Have you modified Kerberos Ticket Policy or any Password Policy?

>>
>> Is this a known issue, or is there a hidden problem with the rolekit
>> deployment
>> that I need to track down?

It's not a known issue.

>
> CCing Petr for Web UI and Simo for the Kerberos part. We know about
> several common gotchas related to Web UI auth, having them documented on
> http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI
>
> But this seems as a new case. You can still check the pointers on this
> page though. If none of them help, it may help to show us:
>
> - the Kerberos ticket and default encryptions:
> $ kinit
> $ klist -e
>
> - any related Kerberos errors from /var/log/krb5kdc.log
>
> Martin
-- 
Petr Vobornik
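The two diagnostic steps Petr suggests above (grouping the mod_auth_kerb GSS failures in the Apache error_log, and finding the first 401 after a run of 200s on /ipa/session/* and comparing the gap with the 20-minute session lifetime) can be scripted. The following is an added example and is not part of FreeIPA or of this thread. The error_log lines are the ones quoted in the thread, re-joined onto single lines, plus one unrelated constructed line; the request timeline is a constructed stand-in for what you would read off the browser's network tab, and the timestamps in it are arbitrary.

```python
"""Diagnostics for FreeIPA Web UI login failures (example code, not part
of FreeIPA): summarise mod_auth_kerb GSS failures from the Apache
error_log, and find where a run of 200s on /ipa/session/* turns into a
401 and whether the idle gap exceeds the default 20-minute session
lifetime. All log lines and request records below are samples."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SESSION_LIFETIME = timedelta(minutes=20)  # FreeIPA default quoted in the thread

# Matches the [auth_kerb:error] lines seen in /var/log/httpd/error_log.
# "major" is the GSS major-status text, "minor" the parenthesised minor
# status, which in these lines starts with a stray ", ".
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_kerb:error\] \[pid \d+\] "
    r"\[client (?P<client>[^:\]]+):\d+\] gss_accept_sec_context\(\) failed: "
    r"(?P<major>.*?) \((?P<minor>[^)]*)\)"
)

# Lines from the thread, re-joined; the last line is a constructed,
# unrelated entry that the parser must ignore.
SAMPLE_ERROR_LOG = """\
[Fri Feb 20 00:37:03.972736 2015] [auth_kerb:error] [pid 1158] [client 10.1.0.15:54958] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, ASN.1 structure is missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:37:34.300510 2015] [auth_kerb:error] [pid 1173] [client 10.1.0.15:54961] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, ASN.1 structure is missing a required field), referer: https://vader.dom.net/ipa/ui/index.html
[Fri Feb 20 00:45:35.603016 2015] [auth_kerb:error] [pid 1173] [client 10.1.1.17:54157] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error), referer: https://vader.dom.net/ipa/ui/
[Fri Feb 20 00:45:36.000000 2015] [core:notice] [pid 1000] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
"""


def summarize_gss_failures(log_text):
    """Return {(client_ip, minor_status): count} for auth_kerb GSS failures.

    Grouping by client and minor status separates "one broken client
    credential cache" from "every client fails the same way"."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        minor = m.group("minor").lstrip(", ").strip() or "(none)"
        counts[(m.group("client"), minor)] += 1
    return dict(counts)


# Constructed request timeline as read off the network tab:
# (timestamp, path, HTTP status). Times are arbitrary.
SAMPLE_REQUESTS = [
    ("2015-02-20 00:20:00", "/ipa/session/login_kerberos", 200),
    ("2015-02-20 00:20:01", "/ipa/session/json", 200),
    ("2015-02-20 00:28:40", "/ipa/session/json", 200),
    ("2015-02-20 00:34:12", "/ipa/session/json", 200),
    ("2015-02-20 00:34:13", "/ipa/ui/index.html", 200),
    ("2015-02-20 00:35:30", "/ipa/session/json", 401),
    ("2015-02-20 00:35:31", "/ipa/session/login_kerberos", 401),
]


def first_session_401(requests, lifetime=SESSION_LIFETIME):
    """Find the first 401 on /ipa/session/* that follows at least one 200.

    Returns (index, seconds_since_last_200, exceeded_lifetime) or None.
    The lifetime is extended on every request, so a 401 arriving sooner
    than `lifetime` after the last 200 is not the idle timeout; look at
    the Kerberos ticket lifetime or the GSS error instead."""
    last_ok = None
    for i, (ts, path, status) in enumerate(requests):
        if not path.startswith("/ipa/session/"):
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if status == 200:
            last_ok = t
        elif status == 401 and last_ok is not None:
            gap = t - last_ok
            return i, int(gap.total_seconds()), gap >= lifetime
    return None


if __name__ == "__main__":
    for (client, minor), n in sorted(summarize_gss_failures(SAMPLE_ERROR_LOG).items()):
        print(f"{client:15} {n:3}x {minor}")
    print(first_session_401(SAMPLE_REQUESTS))
```

On the sample data the 401 arrives 78 seconds after the last successful /ipa/session/json call, well inside the 20-minute window, which is the case where the GSS failure, not session idling, is the thing to chase. On a real server, feed `summarize_gss_failures` the contents of /var/log/httpd/error_log and build the request list from the network tab (or an exported HAR file).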
